authorKali Kaneko <kali@leap.se>2018-09-06 10:58:41 +0200
committerKali Kaneko <kali@leap.se>2018-09-06 11:20:33 +0200
commitb7a7eb22b5d145d20083438c166d47ef3f793d8a (patch)
tree6c945bb8dd427ba28e9fd8761c5699dcb6ff1817
parent5970fcb5f24105de0d5af7c7ff98faa0f3a2ab25 (diff)
[bug] disable temporarily ipv6 as part of the firewall
Since we are already blocking IPv6 traffic, it is better to also keep dual-stack sites from resolving to IPv6 addresses, because many tools otherwise fail. - Resolves: #9027
-rwxr-xr-xsrc/leap/bitmask/vpn/helpers/linux/bitmask-root21
1 files changed, 20 insertions, 1 deletions
diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index 73b060ad..c76100af 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -28,6 +28,9 @@ Expected paths:
When installed by bundle or from git:
/usr/local/sbin/bitmask-root
+ When installed by snap:
+ /snap/bin/riseup-vpn.bitmask-root
+
USAGE:
bitmask-root firewall stop
bitmask-root firewall start [restart] GATEWAY1 GATEWAY2 ...
@@ -58,7 +61,7 @@ cmdcheck = subprocess.check_output
#
# CONSTANTS
-#
+
def get_no_group_name():
@@ -100,6 +103,7 @@ SMTP_PORT = "2013"
IP = "/sbin/ip"
IPTABLES = "/sbin/iptables"
IP6TABLES = "/sbin/ip6tables"
+SYSCTL = "/sbin/sysctl"
OPENVPN_USER = "nobody"
OPENVPN_GROUP = get_no_group_name()
@@ -561,6 +565,17 @@ def ip6tables(*args, **options):
"""
run_iptable_with_check(IP6TABLES, *args, **options)
+
+def toggle_ipv6(status='disable'):
+ if status == 'disable':
+ arg = 1
+ elif status == 'enable':
+ arg = 0
+ else:
+ return
+ cmdcheck([SYSCTL, '-w', 'net.ipv6.conf.all.disable_ipv6=%s' % arg])
+
+
#
# NOTE: these tests to see if a chain exists might incorrectly return false.
# This happens when there is an error in calling `iptables --list bitmask`.
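Review bot: `toggle_ipv6('enable')` writes `disable_ipv6=0` unconditionally, so on a host where the administrator had already disabled IPv6 (sysctl.conf, a hardening profile) the first `firewall stop` switches IPv6 on instead of restoring the previous state. Because `start` and `stop` are separate invocations of this helper, the fix needs a small on-disk record, made at `disable` time, of whether IPv6 was already off, with `enable` becoming a no-op in that case; a sketch with a marker file follows (use whatever directory the helper already keeps state in, and add `import os` if it is not imported yet — `subprocess` is, since `cmdcheck` aliases it). Two further caveats for the same function: as far as I know `net.ipv6.conf.all.disable_ipv6` is applied to the interfaces that exist when it is written, while an interface created afterwards (such as the tun device OpenVPN brings up) takes `net.ipv6.conf.default.disable_ipv6`, so both keys should be set if the goal is to suppress IPv6 rather than only steer resolvers away from AAAA records; and on a kernel booted with `ipv6.disable=1` there is no `/proc/sys/net/ipv6`, `sysctl -w` exits non-zero and `cmdcheck` raises, which would abort `firewall_start` after the iptables rules are already installed, so that case should be tolerated rather than propagated. The silent `else: return` also hides a misspelled status; raising `ValueError` there is safer.
```python
IPV6_DISABLE_KEY = "net.ipv6.conf.all.disable_ipv6"
IPV6_MARKER = "/run/bitmask-root.ipv6-disabled"  # exists only while *we* have IPv6 turned off


def toggle_ipv6(status='disable'):
    """Turn IPv6 off for the firewall session and restore it afterwards.

    'disable' records whether IPv6 was already off before touching anything;
    'enable' only re-enables IPv6 if this helper was the one that disabled it.
    Any other status is a programming error.
    """
    if status == 'disable':
        try:
            current = cmdcheck([SYSCTL, '-n', IPV6_DISABLE_KEY]).strip()
        except subprocess.CalledProcessError:
            return  # no IPv6 stack at all (e.g. booted with ipv6.disable=1): nothing to do
        if current in ('1', b'1'):
            return  # already off: nothing to undo later
        cmdcheck([SYSCTL, '-w', '%s=1' % IPV6_DISABLE_KEY])
        open(IPV6_MARKER, 'w').close()
    elif status == 'enable':
        if not os.path.exists(IPV6_MARKER):
            return  # we never disabled it (or it was already off)
        cmdcheck([SYSCTL, '-w', '%s=0' % IPV6_DISABLE_KEY])
        os.remove(IPV6_MARKER)
    else:
        raise ValueError("toggle_ipv6: unknown status %r" % status)
```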
@@ -761,6 +776,8 @@ def firewall_start(args):
elif QUBES_VER == 3:
run("systemctl", "restart", "qubes-firewall.service")
+ toggle_ipv6('disable')
+
def firewall_stop():
"""
@@ -839,6 +856,8 @@ def firewall_stop():
"chain (maybe it is already destroyed?)", exc)
ok = False
+ toggle_ipv6('enable')
+
if not (ok or ipv4_chain_exists or ipv6_chain_exists):
raise Exception("firewall might still be left up. "
"Please try `firewall stop` again.")